Open tarunKoyalwar opened 5 days ago
Nuclei version:

main | latest
Current Behavior:

```yaml
id: ldap-obb

info:
  name: ADObject represents an Active Directory object
  author: pussycat0x
  severity: high
  description: |
    EasyCVR video management platform has leaked user information
  reference:
    - https://docs.projectdiscovery.io/templates/protocols/javascript/modules/ldap.ADObject
  metadata:
    verified: true
    shodan-query: ldap
  tags: unauth,easycvr,misconfig

flow: |
  for(let i = 0; i < 10; i++) {
    set("data", "${i}")
    javascript(1)
  }

self-contained: true

javascript:
  - code: |
      Export(template.data)

    matchers:
      - type: dsl
        dsl:
          - len(response) > 0
```
When any template that uses flow and contains any sort of loop (for, while) is executed, due to implicit storage of variables of every protocol

While this may not have a visible effect in javascript, it will have a significant impact if the http protocol is present. It has 2 impacts
```text
./nuclei -t a.yaml -v -svd

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.9

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.9 (latest)
[INF] Current nuclei-templates version: v9.9.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 164
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[DBG] Javascript Protocol request variables:
    1. FQDN =>
    2. Host =>
    3. Hostname =>
    4. Port =>
    5. data => ${i}
[VER] [ldap-obb] Sent Javascript request to
[DBG] Javascript Protocol response variables:
    1. FQDN =>
    2. Host =>
    3. Hostname =>
    4. Port =>
    5. data => ${i}
    6. host =>
    7. interactsh-server =>
    8. ip =>
    9. javascript_FQDN =>
    10. javascript_Host =>
    11. javascript_Hostname =>
    12. javascript_Port =>
    13. javascript_data => ${i}
    14. javascript_host =>
    15. javascript_ip =>
    16. javascript_matched =>
    17. javascript_request => Export(template.data)
    18. javascript_response => ${i}
    19. javascript_success => true
    20. javascript_type => javascript
    21. matched =>
    22. request => Export(template.data)
    23. response => ${i}
    24. success => true
    25. template-id => ldap-obb
    26. template-info => {ADObject represents an A .... ap verified:true] <nil> }
    27. template-path => /Users/tarun/Codebase/nuclei/a.yaml
    28. type => javascript
[ldap-obb] [javascript] [high]

... omitted for simplicity ...

[VER] [ldap-obb] Sent Javascript request to
[DBG] Javascript Protocol response variables:
    1. FQDN =>
    2. Host =>
    3. Hostname =>
    4. Port =>
    5. data => ${i}
    6. host =>
    7. interactsh-server =>
    8. ip =>
    9. javascript_FQDN =>
    10. javascript_Host =>
    11. javascript_Hostname =>
    12. javascript_Port =>
    13. javascript_data => ${i}
    14. javascript_host =>
    15. javascript_ip =>
    16. javascript_javascript_FQDN =>
    17. javascript_javascript_Host =>
    18. javascript_javascript_Hostname =>
    19. javascript_javascript_Port =>
    20. javascript_javascript_data => ${i}
    21. javascript_javascript_host =>
    22. javascript_javascript_ip =>
    23. javascript_javascript_javascript_FQDN =>
    24. javascript_javascript_javascript_Host =>
    25. javascript_javascript_javascript_Hostname =>
    26. javascript_javascript_javascript_Port =>
    27. javascript_javascript_javascript_data => ${i}
    28. javascript_javascript_javascript_host =>
    29. javascript_javascript_javascript_ip =>
    30. javascript_javascript_javascript_javascript_FQDN =>
    31. javascript_javascript_javascript_javascript_Host =>
    32. javascript_javascript_javascript_javascript_Hostname =>
    33. javascript_javascript_javascript_javascript_Port =>
    34. javascript_javascript_javascript_javascript_data => ${i}
    35. javascript_javascript_javascript_javascript_host =>
    36. javascript_javascript_javascript_javascript_ip =>
    37. javascript_javascript_javascript_javascript_javascript_FQDN =>
    38. javascript_javascript_javascript_javascript_javascript_Host =>
    39. javascript_javascript_javascript_javascript_javascript_Hostname =>
    40. javascript_javascript_javascript_javascript_javascript_Port =>
    41. javascript_javascript_javascript_javascript_javascript_data => ${i}
    42. javascript_javascript_javascript_javascript_javascript_host =>
    43. javascript_javascript_javascript_javascript_javascript_ip =>
    44. javascript_javascript_javascript_javascript_javascript_javascript_FQDN =>
    45. javascript_javascript_javascript_javascript_javascript_javascript_Host =>
    46. javascript_javascript_javascript_javascript_javascript_javascript_Hostname =>
    47. javascript_javascript_javascript_javascript_javascript_javascript_Port =>
    48. javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    49. javascript_javascript_javascript_javascript_javascript_javascript_host =>
    50. javascript_javascript_javascript_javascript_javascript_javascript_ip =>
    51. javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN =>
    52. javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host =>
    53. javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname =>
    54. javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port =>
    55. javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    56. javascript_javascript_javascript_javascript_javascript_javascript_javascript_host =>
    57. javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip =>
    58. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN =>
    59. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host =>
    60. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname =>
    61. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port =>
    62. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    63. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_host =>
    64. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip =>
    65. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN =>
    66. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host =>
    67. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname =>
    68. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port =>
    69. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    70. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_host =>
    71. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip =>
    72. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_FQDN =>
    73. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Host =>
    74. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Hostname =>
    75. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_Port =>
    76. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_data => ${i}
    77. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_host =>
    78. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_ip =>
    79. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched =>
    80. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    81. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    82. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    83. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    84. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched =>
    85. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    86. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    87. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    88. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    89. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched =>
    90. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    91. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    92. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    93. javascript_javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    94. javascript_javascript_javascript_javascript_javascript_javascript_javascript_matched =>
    95. javascript_javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    96. javascript_javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    97. javascript_javascript_javascript_javascript_javascript_javascript_javascript_success => true
    98. javascript_javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    99. javascript_javascript_javascript_javascript_javascript_javascript_matched =>
    100. javascript_javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    101. javascript_javascript_javascript_javascript_javascript_javascript_response => ${i}
    102. javascript_javascript_javascript_javascript_javascript_javascript_success => true
    103. javascript_javascript_javascript_javascript_javascript_javascript_type => javascript
    104. javascript_javascript_javascript_javascript_javascript_matched =>
    105. javascript_javascript_javascript_javascript_javascript_request => Export(template.data)
    106. javascript_javascript_javascript_javascript_javascript_response => ${i}
    107. javascript_javascript_javascript_javascript_javascript_success => true
    108. javascript_javascript_javascript_javascript_javascript_type => javascript
    109. javascript_javascript_javascript_javascript_matched =>
    110. javascript_javascript_javascript_javascript_request => Export(template.data)
    111. javascript_javascript_javascript_javascript_response => ${i}
    112. javascript_javascript_javascript_javascript_success => true
    113. javascript_javascript_javascript_javascript_type => javascript
    114. javascript_javascript_javascript_matched =>
    115. javascript_javascript_javascript_request => Export(template.data)
    116. javascript_javascript_javascript_response => ${i}
    117. javascript_javascript_javascript_success => true
    118. javascript_javascript_javascript_type => javascript
    119. javascript_javascript_matched =>
    120. javascript_javascript_request => Export(template.data)
    121. javascript_javascript_response => ${i}
    122. javascript_javascript_success => true
    123. javascript_javascript_type => javascript
    124. javascript_matched =>
    125. javascript_request => Export(template.data)
    126. javascript_response => ${i}
    127. javascript_success => true
    128. javascript_type => javascript
    129. matched =>
    130. request => Export(template.data)
    131. response => ${i}
    132. success => true
    133. template-id => ldap-obb
    134. template-info => {ADObject represents an A .... ap verified:true] <nil> }
    135. template-path => /Users/tarun/Codebase/nuclei/a.yaml
    136. type => javascript
[ldap-obb] [javascript] [high]
```
This can be observed in cloud checks because each of those templates utilizes a for loop.

Tagging for visibility since it can have a direct impact on RAM/memory usage.
cc: @Ice3man543 @Mzack9999 @ehsandeep
Expected Behavior:
Anything else:
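The nesting visible in the debug output above can be reproduced with a small model, added here as an illustration; it is not nuclei's code and makes no claim about how the flow engine actually stores variables. It assumes a shared context map, a merge step that copies every context key under a `<protocol>_` prefix after each execution (`mergeNaive`), and a guarded variant (`mergeGuarded`) that skips keys already carrying the prefix; the variable names mirror the debug output, while `baseContext`, `protocolOutput`, `snapshotKeys` and `runFlow` are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// baseContext is the per-target variable set a template starts with. The
// names are taken from the debug output above; the values are placeholders.
func baseContext() map[string]string {
	return map[string]string{
		"FQDN": "", "Host": "", "Hostname": "", "Port": "", "data": "${i}",
	}
}

// protocolOutput is what one javascript execution contributes to the shared
// context. Constructed to mirror the request/response/success/type keys in
// the debug output; it is not nuclei's own result type.
func protocolOutput(iter int) map[string]string {
	return map[string]string{
		"request":  "Export(template.data)",
		"response": fmt.Sprint(iter),
		"success":  "true",
		"type":     "javascript",
	}
}

// snapshotKeys copies the key set so the merge functions can add keys while
// walking the original ones (Go leaves it unspecified whether a range loop
// visits entries added during iteration).
func snapshotKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	return keys
}

// mergeNaive models the behaviour reported above: after the protocol's output
// is merged, every key in the shared context is copied again under the
// "<proto>_" prefix, including keys an earlier iteration already prefixed, so
// each pass through the loop adds one more "javascript_" layer.
func mergeNaive(ctx map[string]string, proto string, out map[string]string) {
	for k, v := range out {
		ctx[k] = v
	}
	for _, k := range snapshotKeys(ctx) {
		ctx[proto+"_"+k] = ctx[k]
	}
}

// mergeGuarded is one possible mitigation for this model (an assumption, not
// nuclei's fix): a key that already carries this protocol's prefix is never
// prefixed again, so the context keeps the shape of the first iteration.
func mergeGuarded(ctx map[string]string, proto string, out map[string]string) {
	for k, v := range out {
		ctx[k] = v
	}
	prefix := proto + "_"
	for _, k := range snapshotKeys(ctx) {
		if strings.HasPrefix(k, prefix) {
			continue
		}
		ctx[prefix+k] = ctx[k]
	}
}

// runFlow drives `iterations` javascript steps through the given merge
// strategy, like the for loop in the flow above, and reports how many
// variables the context holds afterwards and the deepest "javascript_" nesting.
func runFlow(iterations int, merge func(map[string]string, string, map[string]string)) (numKeys, maxDepth int) {
	ctx := baseContext()
	for i := 0; i < iterations; i++ {
		merge(ctx, "javascript", protocolOutput(i))
	}
	for k := range ctx {
		if d := strings.Count(k, "javascript_"); d > maxDepth {
			maxDepth = d
		}
	}
	return len(ctx), maxDepth
}

func main() {
	for _, n := range []int{1, 10, 100} {
		keys, depth := runFlow(n, mergeNaive)
		gkeys, gdepth := runFlow(n, mergeGuarded)
		fmt.Printf("iterations=%3d  naive: %4d vars, depth %3d  |  guarded: %3d vars, depth %d\n",
			n, keys, depth, gkeys, gdepth)
	}
}
```

With ten iterations the naive merge ends at 99 variables and a ten-deep `javascript_` prefix: nine names per layer times eleven layers, the same linear-in-depth shape as the 136-entry listing above (twelve names per layer times eleven layers, plus the four unprefixed interactsh-server and template-* entries). The guarded merge stays at 18 variables and depth 1 regardless of loop count. Note that in the naive model both the number of keys and the length of each key grow with the iteration count, so the bytes held for variable names alone grow quadratically; the guard shown only covers a single protocol prefix, and a flow that alternates protocols would need the check extended to every protocol's prefix.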